AppArmor patches for 5.10.x kernels

Hello,

I’d like to know what the current state is around the kernel patches for AppArmor, etc to be supported in Ubuntu Core.

I have recently built a kernel/image for a Pi Zero 2W, but not sure what else is required to get AppArmor working.


My .config on the kernel compiled (AppArmor):


Any help? I would like to have full confinement on this.

I used the latest kernel ‘master’ branch from the Raspberry Pi Foundation’s Github page:

There is info about the patches at

The last post in that thread links to another, more detailed post …

Here is a 5.1 rpi-foundation kernel snap that I once built (I switched to the Ubuntu kernel source with the next commit, but it should show you how to add/apply the patches and required configs in a snap context)

You could use the Pi kernel from Ubuntu which should include the necessary AppArmor patches and then add any custom patches on top.

I know that there have been many kernel repos/sources (still are?), not sure which one to use.

I am not sure if there’s any gadget/kernel support for the new Pi Zero 2W with Ubuntu’s kernel yet, hence I built my own gadget/kernel to boot this board, to see how it would run on it.

I have another CM4 board that needs some AppArmor patches (running an out-of-tree patched kernel to support RS-485).

I am busy compiling the new patched kernel, albeit with some small changes to the patch itself. I will post a 5.10.x compatible? AppArmor patch soon.

cc @waveform is probably best informed of the current status.

Hello, thanks for the links and patches. However, after patching the foundation kernel, it still does not want to start apparmor?

I think the security team can have a look at this and give pointers?

Results:

I think I found the problem, I have enabled apparmor at-last.

I have added “lsm=apparmor apparmor=1” to cmdline.txt.

I know it is a dirty hack, but then I know I don’t have to use the Ubuntu-kernel necessarily.

snap debug confinement reports “strict”, happy days.

And with that, here is a link to a 5.10.x compatible AppArmor patch for a custom kernel. (Includes the snappy patches too)


You should be able to set that through CONFIG_LSM and CONFIG_SECURITY_APPARMOR in your kernel config.
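As an added example (not code from anyone in this thread), the following POSIX shell script applies the rule the two posts above are describing: AppArmor is only active when `CONFIG_SECURITY_APPARMOR=y` is built in and `apparmor` appears in the effective LSM list, which is `CONFIG_LSM` unless a `lsm=` kernel command-line parameter overrides it, and `apparmor=0` on the command line switches it off. The `.config` and cmdline strings in the script are constructed samples; the legacy `security=` parameter is not handled.

```shell
#!/bin/sh
# Added example: decide from a kernel .config plus a kernel command line
# whether AppArmor will be the active LSM at boot. Sample inputs below are
# constructed for illustration, not taken from the thread.

# Print the effective LSM list: lsm=... on the cmdline wins over CONFIG_LSM.
effective_lsm_list() {
    config="$1"; cmdline="$2"
    for word in $cmdline; do
        case "$word" in
            lsm=*) printf '%s\n' "${word#lsm=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$config" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# Return 0 if AppArmor would be active, 1 otherwise.
apparmor_active() {
    config="$1"; cmdline="$2"
    printf '%s\n' "$config" | grep -qx 'CONFIG_SECURITY_APPARMOR=y' || return 1
    for word in $cmdline; do
        [ "$word" = "apparmor=0" ] && return 1
    done
    list=$(effective_lsm_list "$config" "$cmdline")
    case ",$list," in
        *,apparmor,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the running kernel (needs CONFIG_IKCONFIG_PROC or a /boot/config-*).
check_running_kernel() {
    if [ -r /proc/config.gz ]; then cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then cfg=$(cat "/boot/config-$(uname -r)")
    else echo "no kernel config available"; return 1; fi
    cmd=$(cat /proc/cmdline)
    echo "effective LSM list: $(effective_lsm_list "$cfg" "$cmd")"
    echo "kernel reports: $(cat /sys/kernel/security/lsm 2>/dev/null)"
    apparmor_active "$cfg" "$cmd" && echo "AppArmor: active" || echo "AppArmor: NOT active"
}

# Constructed .config: AppArmor built in, but missing from the CONFIG_LSM order.
SAMPLE_CFG='CONFIG_SECURITY_APPARMOR=y
CONFIG_LSM="lockdown,yama,selinux"'
apparmor_active "$SAMPLE_CFG" "console=tty1" || echo "sample: inactive with CONFIG_LSM alone"
apparmor_active "$SAMPLE_CFG" "console=tty1 lsm=apparmor apparmor=1" && echo "sample: active via lsm="

[ "${1:-}" = "--live" ] && check_running_kernel
```

Run with `--live` on the Pi to compare the computed result against what the booted kernel reports in /sys/kernel/security/lsm.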

Here is another link to the same files:

Should anything happen to the other Git repo, this one is still valid, I hope.